On Wed, Aug 21, 2019 at 01:57:30PM -0000, Martijn Bakkes via FreeIPA-users wrote:
Adding logs with debug set to 6. Below will be server and client from the same request. The difference in timestamp between the request start on server and client corresponds to about the amount of time it takes for a password prompt to appear after entering username.
... SSSD_NSS SERVER logs ...
(Wed Aug 21 09:40:42 2019) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #24: Looking up [GID:3366580@<AD DOMAIN>] in cache (Wed Aug 21 09:40:47 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #24: Returning [GID:3366580@<AD DOMAIN>] from cache
...
(Wed Aug 21 09:40:47 2019) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #25: Looking up [GID:3354727@<AD DOMAIN>] in cache (Wed Aug 21 09:40:53 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #25: Returning [GID:3354727@<AD DOMAIN>] from cache
Those are lookups in the local cache and there should be even an index on those attributes. Is there an application on the IPA server doing heavy I/O or is there a chance that the IPA server is short on main memory and has to swap?
If there is a suffiencent amount of RAM you might want ot try to "Mount the cache in tmpfs" as described in the section with the same name in https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-i....
bye, Sumit